Merrok
Magic Tomato
- Joined
- Jun 18, 2009
- Messages
- 176
- Solutions
- 7
- Reaction score
- 209
Cryptography Basics
Since I see lots of wrong assumptions about what IT-Security actually is and how it is practiced i thought I'd write a "small" thread on the topic to help you make your OT and personal data more secure.
Please be aware that i will just talk about basics and not go deeper into the matter. You are welcome to ask or google(or duckduckgo) for further information on certain topics.
Let's start with some basics. I know it's boring theory, but you will need to know this to understand further explanations.
Security goals
Core security goals: CIA
Encryption and Hashing often get mixed up. In the following I will explain Encryption and Hashing as well as differences between those.
Encryption
explanation: An encryption algorithm maps a plaintext to a ciphertext. The point of encryption is to ensure confidentiality. Without the key to decrypt the message, it is basically impossible to get the plaintext out of the ciphertext. Now there are 2 typs of encryption, symmetric encryption and asymmetric encryption.
Symmetric Encryption
Symmetric encryption has one key to encrypt and the same to decrypt. This key must be held secret for the purpose of third parties being unable to decrypt your message. An example for a symmetric encryption is AES. It is the standard symmetric algorithm and used in many protocols like TLS, WPA2 or SSH. I will not go deeper into the matter since I do not think it is relevant at this point.
Asymmetric Encryption
Asymmetric encryption works with a public and a private key. The public keys purpose is to encrypt the plaintext and only the private key is able to decrypt the message. So the private key must be kept secret while the public key can be sent to the partner so he is able to encrypt the message.
An example would is RSA, DH or ECC.
ECC (Elliptic Curves) are a very good alternative to the normal suspects of asymmetric encryption. Algorithms based on ECC can be way smaller for the same amount of security. For example A 2048Bit key in RSA has the same level of security as a 224Bit key in ECC.
I will dedicate an own post just for the topic of RSA, since it is the algorithm used to secure the Tibia connection and I will go deeper into the mathematics behind it.
I know it might be annoying to have a different RSA key for every server and therefore (so far) a different client per OT, but it is a necessary effort to make the ot scene more secure.
Hashing
A hashing algorithm maps a plaintext to a hash. It's purpose is to ensure the integrity and authenticity. There are different algorithms to hash text. The most known are MD5, SHA1, SHA2 and now even SHA3. The most common ones are sadly still SHA1 and MD5. Those are old, broken and cracked. They are outdated and should not be used anymore. You might as well transfer your data in plaintext if you use those. Instead you should always use a SHA2 (SHA256 or SHA512) or even a SHA3 algorithm.
Salt
Salts are texts that are added to passwords so that attackers have no possibility to use the information even if they get the hashed password. It also makes rainbow table attacks impossible since a hashed password like "password123" is not going to be the hash it would usually be, but a different one with the added salt. Use salt on your ot!
Signatures
Signing your messages gives you the possibility of ensuring accountability. Signatures are usually done using the asymmetric private key and verified using the public key. You sign your message using the key so that your partner knows the message was sent by you and noone else.
SSL (TLS)
Now on this topic we will really only scratch the surface since it is quite complicated when we go into the technological part of it. TLS is the more advanced version of the well known SSL, which is basically not supported anymore. It is what you know by https instead of http.
It's purpose is to secure the connection between a website and its' users. It uses different algorithms to negitoate the most secure connection possible, make sure the user is who he says he is and only hand out the information allowed to be given to the user. Its' security goals are integrity and confidentiality. It is a very important feature to have on your website and easy to implement.
For a few years now, big companies have gathered together to make the Internet more secure and support Let's Encrypt in their work of handing out free TLS Certificates to any website. So use their service and protect your website and its' users!
If you use it please also make sure to enforce the https use and redirect any http requests to https.
¹objects are assets that are worth being protected; subjects are active units allowed to use objects
Since I see lots of wrong assumptions about what IT-Security actually is and how it is practiced i thought I'd write a "small" thread on the topic to help you make your OT and personal data more secure.
Please be aware that i will just talk about basics and not go deeper into the matter. You are welcome to ask or google(or duckduckgo) for further information on certain topics.
Let's start with some basics. I know it's boring theory, but you will need to know this to understand further explanations.
Security goals
Core security goals: CIA
- Confidentiality: Protection of unauthorized retrieval of Information
- Integrity: Protection of unauthorized modification of data
- Availability: Protection of unauthorized disturbance of the usability of functions
- Accountability: Proof of the originality of the identity of the subject/object¹
- Authenticity: Protection of unallowed denial of performed actions
- Privacy: Anonymity; Securing the untraceability; Protection of personal data
Encryption and Hashing often get mixed up. In the following I will explain Encryption and Hashing as well as differences between those.
Encryption
explanation: An encryption algorithm maps a plaintext to a ciphertext. The point of encryption is to ensure confidentiality. Without the key to decrypt the message, it is basically impossible to get the plaintext out of the ciphertext. Now there are 2 typs of encryption, symmetric encryption and asymmetric encryption.
Symmetric Encryption
Symmetric encryption has one key to encrypt and the same to decrypt. This key must be held secret for the purpose of third parties being unable to decrypt your message. An example for a symmetric encryption is AES. It is the standard symmetric algorithm and used in many protocols like TLS, WPA2 or SSH. I will not go deeper into the matter since I do not think it is relevant at this point.
Asymmetric Encryption
Asymmetric encryption works with a public and a private key. The public keys purpose is to encrypt the plaintext and only the private key is able to decrypt the message. So the private key must be kept secret while the public key can be sent to the partner so he is able to encrypt the message.
An example would is RSA, DH or ECC.
ECC (Elliptic Curves) are a very good alternative to the normal suspects of asymmetric encryption. Algorithms based on ECC can be way smaller for the same amount of security. For example A 2048Bit key in RSA has the same level of security as a 224Bit key in ECC.
I will dedicate an own post just for the topic of RSA, since it is the algorithm used to secure the Tibia connection and I will go deeper into the mathematics behind it.
I know it might be annoying to have a different RSA key for every server and therefore (so far) a different client per OT, but it is a necessary effort to make the ot scene more secure.
Hashing
A hashing algorithm maps a plaintext to a hash. It's purpose is to ensure the integrity and authenticity. There are different algorithms to hash text. The most known are MD5, SHA1, SHA2 and now even SHA3. The most common ones are sadly still SHA1 and MD5. Those are old, broken and cracked. They are outdated and should not be used anymore. You might as well transfer your data in plaintext if you use those. Instead you should always use a SHA2 (SHA256 or SHA512) or even a SHA3 algorithm.
Salt
Salts are texts that are added to passwords so that attackers have no possibility to use the information even if they get the hashed password. It also makes rainbow table attacks impossible since a hashed password like "password123" is not going to be the hash it would usually be, but a different one with the added salt. Use salt on your ot!
Signatures
Signing your messages gives you the possibility of ensuring accountability. Signatures are usually done using the asymmetric private key and verified using the public key. You sign your message using the key so that your partner knows the message was sent by you and noone else.
SSL (TLS)
Now on this topic we will really only scratch the surface since it is quite complicated when we go into the technological part of it. TLS is the more advanced version of the well known SSL, which is basically not supported anymore. It is what you know by https instead of http.
It's purpose is to secure the connection between a website and its' users. It uses different algorithms to negitoate the most secure connection possible, make sure the user is who he says he is and only hand out the information allowed to be given to the user. Its' security goals are integrity and confidentiality. It is a very important feature to have on your website and easy to implement.
For a few years now, big companies have gathered together to make the Internet more secure and support Let's Encrypt in their work of handing out free TLS Certificates to any website. So use their service and protect your website and its' users!
If you use it please also make sure to enforce the https use and redirect any http requests to https.
¹objects are assets that are worth being protected; subjects are active units allowed to use objects
Last edited: